
Security issue?

Discussion in 'Plesk for Linux - 8.x and Older' started by dinfiesta, Apr 24, 2006.

  1. dinfiesta (Guest)

    Using this simple CGI,

    #!/usr/bin/perl
    use strict;
    use warnings;

    print <<HTML;
    Content-type: text/html

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html">
    <link rel="stylesheet" type="text/css" href="../../css/style.css">
    </head>
    <body>
    <table cellspacing="0" cellpadding="0" border="0">
    <tr class="subhead" align="Left"><th>Name</th><th>Value</th></tr>
    HTML

    my $class = 'alt';

    # system() runs ls with the CGI's own privileges; its output goes straight
    # into the HTTP response, so the recursive listing of /var/log is shown to
    # the browser. The return value is only the exit status of ls, not its output.
    my $prueba = system("/bin/ls -laR /var/log");
    print $prueba."<br>\n";

    # Dump the request-related environment variables with alternating row classes.
    foreach (sort keys %ENV) {
        next unless /^HTTP_|^REQUEST_/;
        $class = ($class ne 'normal') ? 'normal' : 'alt';
        print <<HTML;
    <tr class="$class"><td valign="top">$_</td><td>$ENV{$_}</td></tr>
    HTML
    }

    print <<HTML;
    </table>
    </body>
    </html>
    HTML

    I'm able to browse log files... Is there a way to limit this?
     
  2. atomicturtle (Golden Pleskian; joined Nov 20, 2002; 2,110 messages; 7 likes received; Washington, DC)

    Not with Perl, no.
     
  3. knocx (Guest)

    Is there a way to secure the Perl runtime? Every part of the server is accessible via Perl!
     
  4. DerFalk (Guest)

    @atomicturtle: not even with mod_security?
     
  5. knocx (Guest)

    mod_security only reads query strings,

    and it cannot monitor hard-coded Perl calls, i.e.

    my @mydir = `/bin/ls -l /etc`;   # backticks run the command and capture its output
    print @mydir;

    ...etc.

    I advise you to disable Perl CGI
    server-wide or limit access to your critical binaries.
     
  6. chrisl@ (Guest)

    Any scripting language you give access to your clients is a potential security risk. Not sure you can avoid this unless you give every client their own virtual machine. You will have this problem with PHP and other languages as well; disabling Perl does not solve your problem. You will need to disable all CGI, which will cripple your clients.

    -chrisl
     
  7. knocx (Guest)

    Perl does not have any access control, but PHP does, i.e. safe_mode, etc.

    Comparing Perl and PHP is not correct; they work totally differently.
     
  8. atomicturtle (Golden Pleskian)

    Right, with PHP you can at least control what functions are available through php.ini, chroot with open_basedir, etc. With Perl it's pretty much open to anything you want to do, which incidentally is how you get around things like noexec on /tmp (save badguyfile to /tmp, then perl /tmp/badguyfile).

    I guess I should have drilled into this a bit further earlier in the thread. There are some things you can do, but it's all quite complicated and not at all flexible. Grsecurity and SELinux both have the ability to establish "roles" around an account or an application, so you could create ACLs on what that user (e.g., Perl apps run as the user) or that process can do. On a scale of 1 to 10, I put writing rules for SELinux to do this at around 9. Grsec is a bit easier since it has a learning mode; I'd put that at around 6. I've worked on some generic policies for PSA environments to touch on this specifically, and I've never come up with anything really usable across a lot of systems.
     
  9. knocx (Guest)

    Hello Art, what is the best solution with Plesk for Perl? :)

    I used to specially chmod critical dirs to restrict access via Perl, like /etc, /root, /var, etc.

    However, PSA users are members of psacln, and anyone can easily read the others' code
    under /./././vhosts, and this is annoying,
    since someone can easily compromise other clients' MySQL passwords with Perl.

    I think we need Bastille PLESK :)

    Any ideas?
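One way to check the exposure knocx describes above (world-readable system files such as logs, and other customers' files readable through the shared psacln group), as an added audit example that is not from the thread: it assumes the shared group is named psacln as the post says, and uses a constructed directory tree so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit which files under a tree a CGI
# script running as an ordinary vhost user could read. Two cases are checked:
# world-readable files (e.g. under /var/log) and files readable by the shared
# customer group (psacln on Plesk), through which one customer's Perl CGI can
# read another customer's config and MySQL password.

# find_exposed TREE GROUP
# Prints regular files under TREE that are readable by "other" (o+r) or that
# belong to GROUP and are group-readable (g+r). Directories are not listed.
find_exposed() {
    tree=$1
    group=$2
    find "$tree" -type f \( -perm -004 -o \( -group "$group" -perm -040 \) \) \
        -print 2>/dev/null | sort
}

# make_fixture GROUP
# Builds a constructed, throw-away tree so the audit can run offline: a fake
# /var/log and two fake vhosts with typical permissions. Prints the root.
make_fixture() {
    group=$1
    root=$(mktemp -d)
    mkdir -p "$root/var/log" "$root/vhosts/a/httpdocs" "$root/vhosts/b/httpdocs"
    echo "syslog"    > "$root/var/log/messages"
    echo "auth log"  > "$root/var/log/secure"
    echo "db_pass=a" > "$root/vhosts/a/httpdocs/config.php"
    echo "db_pass=b" > "$root/vhosts/b/httpdocs/config.php"
    chgrp -R "$group" "$root"
    chmod 644 "$root/var/log/messages"             # world-readable: exposed
    chmod 600 "$root/var/log/secure"               # owner-only: safe
    chmod 640 "$root/vhosts/a/httpdocs/config.php" # readable via shared group: exposed
    chmod 600 "$root/vhosts/b/httpdocs/config.php" # owner-only: safe
    printf '%s\n' "$root"
}

# Stand-alone run (sh audit.sh --demo): audit the fixture with the caller's own
# primary group standing in for psacln. On a real Plesk box the call would be
# find_exposed /var/www/vhosts psacln (path assumed, adjust for your install).
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture "$(id -gn)")
    find_exposed "$fixture" "$(id -gn)"
    rm -rf "$fixture"
fi
```

On the fixture, only var/log/messages and vhosts/a/httpdocs/config.php are reported; the two 600 files stay out of reach of other accounts.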
     
  10. atomicturtle (Golden Pleskian)

    Best is relative. As I said, there's no way to write generic ACLs to do this as safely as you can in PHP. In my case, it took less time and effort to just convert anything I was using to PHP.
     
  11. knocx (Guest)

    Sure, but the problem is that some clients demand Perl :(
     
  12. 0031 (Guest)

    Do not provide mod_perl for them; provide Perl as CGI. In CGI mode, due to the suexec mechanism, users shouldn't be able to see the contents of other users' directories.

    mod_perl runs as apache:apache and is not chrooted. Therefore it has access to all files that apache has.
     
  13. knocx (Guest)

    Will commenting out the ModPerl module in httpd.conf remove mod_perl support globally?
     
  14. atomicturtle (Golden Pleskian)

    You can also just remove the RPM (yum remove mod_perl).
     
  15. knocx (Guest)

    Hello Art; when I try to remove mod_perl:

    Removing:
    mod_perl i386 1.99_16-4.centos4 installed 3.7 M
    Removing for dependencies:
    frontpage i586 5.0-72psa.centos4.2 installed 30 M
    psa i586 8.0.1-centos4.2.build80060613.20 installed 94 M
    psa-agent noarch 1.4.1-80060613.20 installed 0.0
    psa-api noarch 8.0.1-centos4.2.build80060904.19 installed 2.6 M
    psa-api-rpc noarch 8.0.1-centos4.2.build80060904.19 installed 994 k
    psa-backup-manager i586 8.0.1-centos4.2.build80060904.19 installed 1.5 M
    psa-horde noarch 3.1.2-centos4.2.build80060713.16 installed 23 M
    psa-hotfix1 i586 8.0.1-centos4.2.build80060618.11 installed 45 k
    psa-hotfix2 i586 8.0.1-centos4.2.build80060713.16 installed 21 M
    psa-hotfix4 i586 8.0.1-centos4.2.build80060728.17 installed 213 k
    psa-hotfix5 i586 8.0.1-centos4.2.build80060903.14 installed 132 k
    psa-imp noarch 4.1.1-centos4.2.build80060613.20 installed 13 M
    psa-libpam-plesk i586 8.0.1-centos4.2.build80060613.20 installed 1.2 M
    psa-migration-manager i586 8.0.1-centos4.2.build80060904.19 installed 9.9 M
    psa-watchdog i586 2.0.1-centos4.2.build80060613.20 installed 2.4 M

    I see that there are 16 dependent packages, and some of them are core packages like psa.

    How can you remove mod_perl on a Plesk box?
     